CVE-2025-59698 – This vulnerability allows a physically proximat... (How to Fix)

Q: What is the severity of CVE-2025-59698?

CVE-2025-59698 has a CVSS score of 6.8 (MEDIUM). This vulnerability allows a physically proximate attacker to access the legacy bootloader on affected Entrust nShield hardware security modules. This could potentially lead to unauthorized access to cryptographic keys or device tampering. Organizations using Entrust nShield Connect XC, nShield 5c, or nShield HSMi devices are affected.

📋 TL;DR

This vulnerability allows a physically proximate attacker to access the legacy bootloader on affected Entrust nShield hardware security modules. This could potentially lead to unauthorized access to cryptographic keys or device tampering. Organizations using Entrust nShield Connect XC, nShield 5c, or nShield HSMi devices are affected.

💻 Affected Systems

Products:

Entrust nShield Connect XC
Entrust nShield 5c
Entrust nShield HSMi

Versions: Through 13.6.11, or 13.7

Operating Systems: Not OS-dependent - hardware vulnerability

Default Config Vulnerable: ⚠️ Yes

Notes: Affects physical hardware security modules, not software installations. Requires physical access to the device.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains physical access to device, extracts cryptographic keys, compromises all encrypted data protected by the HSM, and potentially installs malicious firmware.

🟠

Likely Case

Physical attacker gains limited access to bootloader functions, potentially disrupting HSM operations or extracting limited configuration data.

🟢

If Mitigated

With proper physical security controls, the vulnerability has minimal impact as it requires physical proximity and access to the device.

🌐 Internet-Facing: LOW - This vulnerability requires physical access to the device and cannot be exploited remotely.

🏢 Internal Only: MEDIUM - Physical access to data center or server room is required, making internal threats with physical access a concern.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires physical access to the device and knowledge of hardware bootloader manipulation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 13.6.11 and 13.7

Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj

Restart Required: Yes

Instructions:

1. Contact Entrust support for firmware update. 2. Schedule maintenance window. 3. Backup HSM configuration. 4. Apply firmware update following vendor instructions. 5. Verify update and restore configuration if needed.

🔧 Temporary Workarounds

Enhanced Physical Security

all

Implement strict physical access controls to prevent unauthorized personnel from accessing HSM devices.

Secure Boot Configuration

all

Configure secure boot settings if supported by the device to restrict bootloader access.

🧯 If You Can't Patch

Implement strict physical security controls including locked cabinets, access logs, and surveillance
Isolate HSM devices in secure areas with limited personnel access

🔍 How to Verify

Check if Vulnerable:

Check firmware version via HSM management interface or CLI. Vulnerable if version is 13.6.11 or earlier, or exactly 13.7.

Check Version:

Use HSM management tools: 'nfast status' or check via HSM management console

Verify Fix Applied:

Verify firmware version is updated beyond vulnerable versions (after 13.6.11 and 13.7).

📡 Detection & Monitoring

Log Indicators:

Physical access logs showing unauthorized entry to HSM location
HSM boot sequence anomalies

Network Indicators:

None - this is a physical access vulnerability

SIEM Query:

Search for physical access control system alerts for HSM locations

📊 Metadata

CVE ID: CVE-2025-59698

CVSS v3 Score: 6.8 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-1270

EPSS Score: 0.03% exploit probability (9.7th percentile)

Published: December 2, 2025

Last Updated: December 8, 2025

🔗 References

https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj Exploit,Third Party Advisory
https://www.entrust.com/use-case/why-use-an-hsm Product
https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-59698, you might also want to check these: